Overview
This article provides confirmation/validation of whether our EAAA application is affected by the zero-day vulnerability known as Spring4Shell. The vulnerability in question is CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+.
More details of the vulnerability:
- https://tanzu.vmware.com/security/cve-2022-22965
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67
Solution
The vulnerability applies to Java JDK version 9+. The JDK used by our application is JDK version 6 on release 6.XX and JDK version 7 on release 7.XX, so it will not have any impact.
Further, the Java/JDK version can be verified using the following commands:
[eliteaaa@AAA-Apps01 ~]$ which java
~/JAVA/jdk1.6.0_45/bin/java
[eliteaaa@AAA-Apps01 ~]$ java -version
java version "1.6.0_45"
Java(TM) SE Runtime Environment (build 1.6.0_45-b06)
Java HotSpot(TM) 64-Bit Server VM (build 20.45-b01, mixed mode)
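The version check above, written up as a small POSIX sh helper that parses the first line of "java -version" output and reports whether the JDK falls in the 9+ range named by the advisory. This is an added example, not part of the original article; the function names are my own, and it assumes the legacy "1.x.y_zz" numbering for JDK 8 and earlier and "N.x.y" numbering from JDK 9 onward.

```shell
#!/bin/sh
# Added example (not from the original article): classify a JDK by the
# major version found in a "java -version" style line.
# Assumption: JDK 8 and earlier report "1.x.y_zz", JDK 9+ report "N.x.y".

# java_major LINE -> prints the major version number (e.g. 6, 11, 17)
java_major() {
    v="$1"
    # Reduce e.g.  java version "1.6.0_45"  to  1.6.0_45
    v=$(printf '%s' "$v" | sed -e 's/^.*version "*//' -e 's/".*$//')
    case "$v" in
        1.*) printf '%s\n' "$v" | cut -d. -f2 ;;                       # 1.6.0_45 -> 6
        *)   printf '%s\n' "$v" | cut -d. -f1 | sed 's/[^0-9].*$//' ;; # 11.0.2 -> 11
    esac
}

# jdk_in_scope LINE -> exit status 0 when the major version is 9 or higher,
# i.e. inside the JDK 9+ range the CVE-2022-22965 advisory names
jdk_in_scope() {
    major=$(java_major "$1")
    [ -n "$major" ] && [ "$major" -ge 9 ]
}

# check_running_java -> inspects the java on PATH; returns 0 when outside the
# JDK 9+ range, 1 when inside it (Spring Framework version then needs review),
# 2 when no java is found. Note that java -version writes to stderr.
check_running_java() {
    if ! command -v java >/dev/null 2>&1; then
        echo "no java found on PATH"
        return 2
    fi
    line=$(java -version 2>&1 | head -n 1)
    if jdk_in_scope "$line"; then
        echo "JDK $(java_major "$line"): within the JDK 9+ range of CVE-2022-22965, review the Spring Framework version"
        return 1
    fi
    echo "JDK $(java_major "$line"): outside the JDK 9+ range of CVE-2022-22965"
    return 0
}
```

Source the file and call check_running_java on the application host to test the java on PATH, or pass a saved "java -version" line to jdk_in_scope directly.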
Priyanka Bhotika